Full Disclosure mailing list archives
OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange
From: niclas <lists () datenritter de>
Date: Sun, 25 May 2008 21:15:55 +0200
Alex, you recently wrote that you tested the CA certificates, but you didn't test the certificates which have been *signed* by the CAs. They are a serious problem.

The attack described in your recent post can easily be avoided by replacing vulnerable certificates, BUT: if somebody grabbed an old (vulnerable) certificate quickly, he or she could generate the private key which fits it and then abuse the cert. for a man-in-the-middle attack. I think all servers which had a vulnerable certificate, even for a short time, are still not secure, at least as long as the old certificates are still valid, which depends only on the validity date saved in the certificate.

No, CRLs don't work. Firefox, for example, does not check CRLs (default setting), making certificate revocation senseless. I assume other browsers don't check CRLs either. And what about the German tax software ELSTER?

German CCC member Fefe describes this here (English and German): http://blog.fefe.de/?ts=b6c9ec7e

His post is dated 23rd of May. He says somebody already got the old cert. of "a248.e.akamai.net".

My comment with screenshots of Firefox's settings pages and an error message is here (German): http://blog.datenritter.de/archives/208-gefaehrliche-Angriffsmoeglichkeit-durch-das-OpenSSL-Debakel.html

I think the only option is to change domain names. :-(

IMHO Felix is totally right in his criticism of PKI. When you download a browser you get a bunch of CA certificates but no reason to trust even a few of them.

n.
Everybody keeps talking about changing your keys and updating OpenSSL, but this is not the only issue with the Debian/OpenSSL debacle. Consider that someone has sniffed your SSH traffic (say, at a security conference?). If either a compromised server or client were involved, you have got a problem, as the Diffie-Hellman key exchange at the start of the SSH session can now be broken. This means that all the data (passwords, SSH tunnel anyone?) can now be considered compromised if you are reasonably paranoid.
(...)
You can find the script at http://www.cynops.de/download/check_weak_dh_ssh.pl.bz2
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
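A worked illustration of the point both posts make, added here as an example; it is not code from either post and not Alexander Klink's check_weak_dh_ssh.pl. The broken Debian OpenSSL generator was seeded with nothing but the process ID, so any key material it produced (a DH exponent, an RSA key) could take at most around 32k values per architecture and key size. A passive attacker who captured both public values of the SSH KEXDH exchange can enumerate that space, find the exponent of whichever side was broken, and compute the shared secret; the same enumerate-and-match idea, applied to RSA keys, is how a certificate's private key can be regenerated from the public key in the certificate. The weak generator below (`weak_exponent`, SHA-256 of the PID) is a stand-in model of that property, not the real OpenSSL output stream; the client/server exchange in `demo` is constructed; the group is the real 1024-bit MODP group from RFC 2409 that SSH uses for diffie-hellman-group1-sha1.

```python
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), the group behind SSH's
# diffie-hellman-group1-sha1. Generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
PID_MAX = 32768  # Linux default pid_max in 2008: the only "entropy" left in the broken PRNG


def weak_exponent(pid: int, bits: int = 160) -> int:
    """Model of the broken generator: the exponent is a pure function of the PID.

    This is NOT the real Debian OpenSSL output stream; it only reproduces the
    property that matters here, a key space of at most PID_MAX values.
    """
    digest = hashlib.sha256(b"weak-prng-model:" + pid.to_bytes(4, "big")).digest()
    return 1 + int.from_bytes(digest[: bits // 8], "big")


def strong_exponent(bits: int = 160) -> int:
    """Healthy side: exponent drawn from the OS CSPRNG."""
    return 1 + secrets.randbits(bits)


def dh_public(x: int) -> int:
    return pow(G, x, P)


def break_session(client_pub: int, server_pub: int):
    """Passive attacker holding both public values of a sniffed KEXDH exchange.

    Walks the PID space once and checks each candidate exponent against both
    sides. Returns (shared_secret, weak_side, pid) as soon as one side matches,
    or None if neither side came from the broken generator. A precomputed
    table of all PID_MAX public values does the same job in one lookup per
    captured session.
    """
    for pid in range(1, PID_MAX):
        x = weak_exponent(pid)
        candidate = dh_public(x)
        if candidate == client_pub:
            return pow(server_pub, x, P), "client", pid
        if candidate == server_pub:
            return pow(client_pub, x, P), "server", pid
    return None


def demo(weak_pid: int = 4711) -> bool:
    """Constructed exchange: patched client, server running the broken Debian OpenSSL.

    Returns True when the attacker recovers exactly the secret the peers agreed on.
    """
    client_x = strong_exponent()
    server_x = weak_exponent(weak_pid)
    client_pub, server_pub = dh_public(client_x), dh_public(server_x)
    real_secret = pow(server_pub, client_x, P)  # what the two peers actually share
    result = break_session(client_pub, server_pub)
    return (result is not None
            and result[0] == real_secret
            and result[1:] == ("server", weak_pid))


if __name__ == "__main__":
    print("session broken:", demo())
```

One weak side is enough: the attacker never needs the healthy peer's exponent, because once the broken peer's exponent x is known, the shared secret is just the other side's public value raised to x. That is why the post's advice is that both a weak server and a weak client expose every session recorded while the weak key was in use, and why replacing keys alone does not help against traffic that was already captured.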
Current thread:
- Identify weak Debian OpenSSL clients in SSH DH key exchange Alexander Klink (May 24)
- OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange niclas (May 25)